diff options
| author |  Jacob Groß <kurtextrem@gmail.com>
| 2025-01-20 16:26:46 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-01-20 16:26:46 +0100 |
| commit | f64b73cb8aaae02c52fa438ac8361044cf67f6dc (patch) | |
| tree | 535a574f23c5505c4e9b4a5143865346302d97db | |
| parent | 9cc46f66e9c3b83f6a79d03bc5ee442ae97683f6 (diff) | |
| download | astro-f64b73cb8aaae02c52fa438ac8361044cf67f6dc.tar.gz astro-f64b73cb8aaae02c52fa438ac8361044cf67f6dc.tar.zst astro-f64b73cb8aaae02c52fa438ac8361044cf67f6dc.zip | |
feat(server-islands): only encode ETAGO delimiter (#11513)
Co-authored-by: Matt Kane <m@mk.gg>
Co-authored-by: Florian Lefebvre <contact@florian-lefebvre.dev>
4 files changed, 26 insertions, 6 deletions
diff --git a/.changeset/fifty-socks-end.md b/.changeset/fifty-socks-end.md new file mode 100644 index 000000000..8b4476fbc --- /dev/null +++ b/.changeset/fifty-socks-end.md @@ -0,0 +1,5 @@ +--- +'astro': patch +--- + +Updates the server islands encoding logic to only escape the script end tag open delimiter and opening HTML comment syntax diff --git a/packages/astro/src/runtime/server/render/server-islands.ts b/packages/astro/src/runtime/server/render/server-islands.ts index e45b1e6d4..093254cd3 100644 --- a/packages/astro/src/runtime/server/render/server-islands.ts +++ b/packages/astro/src/runtime/server/render/server-islands.ts @@ -15,13 +15,19 @@ export function containsServerDirective(props: Record<string | number, any>) { return 'server:component-directive' in props; } +const SCRIPT_RE = /<\/script/giu; +const COMMENT_RE = /<!--/gu; +const SCRIPT_REPLACER = '<\\/script'; +const COMMENT_REPLACER = '\\u003C!--'; + +/** + * Encodes the script end-tag open (ETAGO) delimiter and opening HTML comment syntax for JSON inside a `<script>` tag. + * @see https://mathiasbynens.be/notes/etago + */ function safeJsonStringify(obj: any) { return JSON.stringify(obj) - .replace(/\u2028/g, '\\u2028') - .replace(/\u2029/g, '\\u2029') - .replace(/</g, '\\u003c') - .replace(/>/g, '\\u003e') - .replace(/\//g, '\\u002f'); + .replace(SCRIPT_RE, SCRIPT_REPLACER) + .replace(COMMENT_RE, COMMENT_REPLACER); } function createSearchParams(componentExport: string, encryptedProps: string, slots: string) { diff --git a/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro b/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro index d42973294..c97cf4718 100644 --- a/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro +++ b/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro @@ -1,5 +1,7 @@ --- import Island from '../components/Island.astro'; + +const xssMe ="</script><script>alert('xss')</script><!--" --- <html> <head> @@ -7,6 +9,6 @@ import Island from '../components/Island.astro'; </head> <body> <h1>Testing</h1> - <Island server:defer /> + <Island server:defer message={xssMe} /> </body> </html> diff --git a/packages/astro/test/server-islands.test.js b/packages/astro/test/server-islands.test.js index 96b58354e..c62b383ca 100644 --- a/packages/astro/test/server-islands.test.js +++ b/packages/astro/test/server-islands.test.js @@ -37,6 +37,13 @@ describe('Server islands', () => { assert.equal(serverIslandEl.length, 0); }); + it('HTML escapes scripts', async () => { + const res = await fixture.fetch('/'); + assert.equal(res.status, 200); + const html = await res.text(); + assert.equal(html.includes("</script><script>alert('xss')</script><!--"), false); + }); + it('island is not indexed', async () => { const res = await fixture.fetch('/_server-islands/Island', { method: 'POST', |